Auditing Standard No. 5 was created to supersede Auditing Standard No. 2 after results from monitoring indicated that concerns arose. An issue concerning AS2 involved significantly greater cost in correlation with achieving enhanced focus on corporate governance, financial statements, and controls within a public company. In addition to cost increases, the effort in conducting an effective audit of internal controls over financial reporting seemed excessive. After consideration and insight, the Public Company Auditing Oversight Board (PCAOB) amended AS2 and implemented Auditing Standard No. 5. The newly adopted and revised standard continued to place emphasis on primary objectives involving the detection of material weakness before they caused material misstatements of the financial statements and advise auditors from using procedures that are not necessary for the intended benefit. Auditing Standard No. 5 encourages auditors to focus on important matters in respects to internal control, therefore addressing the problems concerning excessive cost and time commitments under AS2.
Get your grade
or your money back
using our Essay Writing Service!
Auditors are encouraged to use the top-down approach when selecting controls to test during an audit of internal control over financial reporting as stated in Accounting Standard No. 5. Beginning with the financial statement level and understanding the overall risks to internal control, the auditor works down to entity-level controls and finishes with significant accounts and disclosures and assertions. The approach helps auditors focus on areas that present a high probability of material misstatement. Attention to accounts, assertions, and disclosures that present the most risk will further ensure financial statements and related disclosures are free from material misstatements.
Identifying Entity-Level Controls:
Ensuring that a company has effective internal control over financial reporting involves testing significant entity-level controls. If the auditor is not satisfied with the evaluation of entity-level controls, additional testing can or will be done in other areas of control. There exists a variety of entity-level controls including control environment controls, those that monitor the effectiveness of other controls, and controls designed to prevent or detect misstatements of relevant assertions on a timely basis.
Entity-level controls include controls related to the control environment, management override, risk assessment, results of operations, period-end financial reporting process, and others designed to combat material misstatement. The control related to control environment represents an important step in determining whether effective internal control over financial reporting exist that auditors must complete the evaluation at the company. Management's philosophy and operating style, integrity and ethical values, and board/audit committees ability to exercise oversight responsibility should be assessed by the auditor.
The evaluation of the period-end financial reporting process will help the auditor determine the effectiveness of internal control over financial reporting and the financial statements. The period-end financial reporting process involves a series of procedures including those used to enter transaction totals into the GL, selection and application of accounting policies, journal entry activities, recording adjustments to financial statements, and preparing financial statements and disclosures. The auditor will assess the processes the company uses to produce financial statements, use of informational technology, management participants, reporting process locations, adjusting/consolidating entries, and managements, boards, and audit committees oversight of the process.
Identifying Significant Accounts and Disclosures and Assertions:
Throughout the audit process, the auditor will indentify significant accounts, disclosures, and assertions. Relevant assertions include existence/occurrence, completeness, valuation/allocation, rights and obligations, and presentation/disclosures. The latter have a high probability of containing misstatement and therefore should be evaluated. A similar process is used to evaluate accounts and disclosures using quantitative and qualitative risk factors. These risk factors include account size/composition, errors or fraud susceptibility, volume and complexity of transactions, nature, accounting and reporting complexities, exposure to losses, significant contingent liabilities, related party existence, and changes made from prior period.
The auditor must determine where issues could arise within accounts or disclosures that would result in materially misstated financial statements. Identifying the significant accounts and disclosures involve the same methods for auditing internal control. In some cases, companies may have multiple locations and businesses that involve consolidated financial statements, in which case auditors will apply multiple locations scoping decisions.
Sources of Misstatement:
Auditors must be able to effectively identify sources of misstatement. Objectives including the ability to understand the flow of transactions, identifying points within a company's processes that may contain misstatements, identifying management's controls to address potential misstatements, and controls that management implements on company assets will guide the auditor or whoever is assisting in the process. Understanding the IT functions and performing walkthroughs will help the auditor complete objectives listed. The walkthrough process will involve inquiry, observation, inspection, and re-performance of controls. Questioning personnel and walkthroughs will provide increased assurance that necessary controls are not missing or designed ineffectively.
Selecting Controls to Test:
Always on Time
Marked to Standard
Completing an efficient audit includes testing controls that are important to an auditor's conclusion on assessed risk of misstatement to assertions. It is not necessary to test redundant controls or all controls related to assertions. Determining the controls to test should involve assessing risk of misstatement to an assertion rather than a title/label.
Material Weakness versus Significant Deficiency:
A material weakness is characterized as a single or combination of deficiencies in internal control over reporting that present a reasonable possibility that a material misstatement, that will not be detected and prevented in a timely fashion, exists within a company's interim or annual financial statements. A significant deficiency has similar characteristics but is deemed less severe than being a material weakness. Although a significant deficiency is less severe, attention by those responsible for the oversight of the company's financial reporting is required.
When auditors search for weaknesses in the internal control indicators including senior management fraud, restatements of previously issued financial statements due to misstatement, misstatements found by auditor that would have not been detected by internal controls, and ineffective oversight by company's audit committee. If deficiencies are found, the auditor should determine the degree of assurance needed to confirm that the preparation of financial statements conform to GAAP. If this is not the case, the auditor will determine that the single or combination of deficiencies is an indicator of material weakness.
Communicating to Audit Committee vs. Audit Report:
Material weaknesses that are identified during the audit process must be formally written and sent to the audit committee and management. This process is completed before an auditor's report on internal control of financial reporting is created. When an external financial reporting and internal control over financial reporting is deemed ineffective, the board is made aware by written communication from the auditor. In addition to material weaknesses, significant deficiencies are communicated via a written report to the audit committee. There is no need to repeat information that has been presented in previous issued written communication relating to deficiencies in internal control over financial reporting found during an audit made by the auditor, other organizations, or internal auditors. The auditor is not held responsible for finding all control deficiencies using procedures, but only that he/she is made aware. No report will be issued stating deficiencies were not noted during the audit because he/she does not have assurance that all deficiencies less severe than a material weakness has been identified. The auditor must be aware that they are held under the Consideration of Fraud in Financial Statement Audit AU sec. 316 and 317 to take responsibility for fraud or illegal acts discovered.
The auditor's report concerning the audit of internal control must contain a variety of elements including a title (includes the word independent), management is responsible for internal control, management's report on internal control along with a definition, audit met standards of PCAOB, reasonable assurance was created about material aspects, opinion has basis, inherent limitations may not detect all misstatements, and control criteria formed the opinion on effective internal controls. The last items that form the audit report include the signature of the auditor's firm, city and state identified as where the report was issued, and the date of the audit report. These elements form the foundation of an auditor's report.